Bugzilla – Bug 1001212
VUL-0: CVE-2016-7424: libav: NULL pointer dereference in put_no_rnd_pixels8_xy2_mmx (rnd_template.c)
Last modified: 2017-05-31 13:37:43 UTC
http://seclists.org/oss-sec/2016/q3/539
https://blogs.gentoo.org/ago/2016/09/17/libav-null-pointer-dereference-in-put_no_rnd_pixels8_xy2_mmx-rnd_template-c/

Fuzzing, with an mp3 file as input, discovered a null pointer access in put_no_rnd_pixels8_xy2_mmx.

Input #0, h263, from '9.crashes'
AddressSanitizer: SEGV on unknown address
put_no_rnd_pixels8_xy2_mmx libav-11.7/libavcodec/x86/rnd_template.c:37:5

https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee
> mpegvideo_motion: Handle edge emulation even without unrestricted_mv
>
> Fix out of bounds read.
>
> libavcodec/mpegvideo_motion.c

Use CVE-2016-7424.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7424
http://seclists.org/oss-sec/2016/q3/539
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7424.html
bugbot adjusting priority
This still affects openSUSE Leap 42.1, please submit. The package was dropped from Leap 42.2.
42.1 is out of support and libav was dropped from later releases